The privacy regulation requires covered entities to protect PPI and grant individuals other rights described below, without creating obstacles to care and treatment. It applies to information that is transmitted electronically, orally or on paper.
Full text of regulation
HIPAA states that other federal and state laws that provide more personal privacy protection still apply. LifeWise must also consider:
- State Patients' Bills of Rights and other insurance laws
- State and federal public health laws for sensitive diagnoses, procedures and treatments
- State regulations implementing the federal Gramm-Leach-Bliley Act
Accounting of Disclosures
A person has the right to request an accounting of disclosures made outside a covered entity's routine business functions. LifeWise's routine business functions include payment and healthcare operations, while providers' routine business functions would also include treatment.
Authorization
In most cases, a covered entity must obtain written authorization from the person before using or disclosing his or her PPI for other than routine business functions.
In most cases, our interactions with you will be business as usual. Generally, PPI can be shared between doctors, other providers and the health plan as we carry out "routine business functions" which include the following activities:
- Processing and paying claims
- Determining eligibility and benefit
- Conducting quality audits
- Providing care management and case management services
Business Associates
In most instances, healthcare providers are not the business associates of the health plan, so there won't be changes to your contracts with LifeWise. LifeWise has developed its standard Business Associate Agreements and will be working with vendors and contractors over the next few months to implement them.
Complaints
Individuals have the right to complain to a covered entity and to the U.S. Department of Health and Human Services (DHHS) Secretary if they believe their privacy rights have been violated.
Confidential Communications
Individuals have the right to request that a covered entity communicate with them at an alternate location if they believe that disclosing all or part of their health information could endanger them.
Inspection and Amendment
A person has the right to request to review, obtain copies and amend their PPI.
Minimum Necessary
When requesting or disclosing information, covered entities must ensure that they ask for or disclose the minimum amount of PPI needed to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).
Parents and Minors
In most situations, parents have control over the health information of their minor children. In certain situations, however, state laws give minors rights that take precedence over HIPAA privacy regulations. In some circumstances, state public health and insurance laws prohibit health plans from disclosing sensitive information such as PPI relating to chemical dependency, mental health, reproductive health, HIV/AIDS/STDs - unless the person's specifically authorizes us to do so.
Privacy Notice
All covered entities must provide notice of a patient's privacy rights as well as their privacy practices.
Privacy Official
A covered entity must designate a "Privacy Official" responsible for developing and implementing its privacy policies and procedures.
Research
Covered entities can use a single authorization form for using and disclosing PPI for research, as well as informed consent for the research.
Uses and Disclosures for FDA Regulated Products
Covered entities can disclose PPI to the FDA for public health purposes relating to quality, safety or effectiveness of FDA-regulated products or activities. This includes reporting adverse events and defects or problems with FDA-regulated products.